LDAP Synchronization Connector presentation at LDAPCon 2009

20/09/2009

Jonathan Clarke
jonathan@phillipoux.net

20/09/2009        http://lsc-project.org           Page 1

Introduction
●   LDAP directories are commonly used to store
    identity information
●   Provisioning for identity management is easy …
        –    Just put all employee information in a directory!
●   Simple, right? … well, yes, but …
        –    « HR already has software that only stores identity 
               information in a database »
        –    « We use Active Directory for our desktops and we 
               need users' identities there too »
        –    « XYZ software already uses a different directory »

Introduction
●   Several different identity repositories
        –    How to make sure the same changes apply?
              ●   New employees
              ●   Name changes (marriage), transfers...
              ●   Employees leaving

●   Manual synchronization?
        –    Leads to a mess, leaving old accounts active …

●   Automatic synchronization?


Introduction
●   Automatic synchronization
        –    It already exists, and works great
               ●   Directory- / database-specific replication
               ●   Application-specific connectors (AD, SAP, etc)

        –    What about the rest?
               ●   Between different databases, directories, files?
               ●   Different data models?
               ●   Using standards: LDAP, SQL, etc...?

About LSC Project
●   What is LSC?
        –    LDAP Synchronization Connector
        –    Open Source project
        –    BSD licence
        –    Written in Java
        –    4 years in the making
        –    1 year ago LSC-project.org created
        –    6 regular contributors

●   Website: http://lsc-project.org

Goals – functionality
●   Read/write to any database or LDAP directory
        –    Standard LDAPv3 operations
        –    JDBC connectors for databases


●   Transform data on-the-fly
        –    Adapt to a different data model
        –    JavaScript-based engine to manipulate data


●   Adjustable updates: default, keep, force or merge

Goals – usability
●   Quickly implement a new synchronization
●   Highly configurable
        –    What exactly do we read?
        –    Powerful transformations (correctness is important)
        –    What exactly do we write?
●   Run fast (performance is important)
●   Easy to set up

Philosophy
●   Make it possible, now!
●   Make it more stable and safer
        –    Open Source benefits over home-grown scripts
        –    More secure and better tested
        –    Don't reinvent a buggy wheel!
●   Make it faster and simpler
        –    Faster than writing home-grown scripts
        –    Provide methods for IAM and directory-specific tasks
●   This is not the ultimate solution …

LSC synchronization principles
●   Two levels of information per identity
        1. Existence – equivalent to an account (LDAP entry)
        2. Identity specific details – names, phone numbers
            (LDAP attributes and values)
●   A unique ID: the pivot attribute(s)
●   Synchronization operations
        ●    Create: Add entries from source to destination
        ●    Delete: Delete entries from destination not in source
        ●    Update: Compare and set specific details

LSC synchronization principles
●   First step: sync
        –    Get a list of all pivots from the source
        –    For each pivot
               ●   Read the source object
               ●   Search for the destination object with pivot
               ●   Build up desired destination object by applying
                       transformations to source object
               ●   If the destination object exists, calculate modifications
               ●   Apply: create or modify

LSC synchronization principles
●   Second step: clean (optional)
        –    Get a list of all pivots from the destination
        –    For each pivot
               ●   Search for the source object with pivot
               ●   If the source object doesn't exist, delete from destination
               ●   Apply: delete
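The sync and clean steps above, as an added JavaScript example that is not LSC code: source and destination are in-memory arrays keyed by the pivot (uid), and the transform() function and the empty-source guard in clean() are this example's own assumptions.

```javascript
// Added example, not code from the LSC project: the two-step "sync" then
// "clean" cycle from the slides, modelled over in-memory stores keyed by the
// pivot attribute (uid). Returns operation lists instead of talking to LDAP.

// Constructed sample data: an HR-style source and an LDAP-style destination.
// Jane's surname changed (marriage), John is new, uid 3 has left the company.
const SOURCE = [
  { uid: "1", givenName: "Jane", sn: "Doe-Martin" },
  { uid: "2", givenName: "John", sn: "Smith" },
];
const DESTINATION = [
  { uid: "1", givenName: "Jane", sn: "Doe", cn: "DOE, Jane" },
  { uid: "3", givenName: "Old", sn: "Account", cn: "ACCOUNT, Old" },
];

// "Build up desired destination object by applying transformations":
// hypothetical transformation matching the slides' cn = "SN, givenName".
function transform(src) {
  return {
    uid: src.uid,
    givenName: src.givenName,
    sn: src.sn,
    cn: src.sn.toUpperCase() + ", " + src.givenName,
  };
}

// Step 1, sync: list every pivot in the source, look the destination object
// up by pivot, then decide "create" (absent) or "modify" (only the
// attributes whose values differ). Unchanged entries produce no operation.
function sync(source, destination, pivot = "uid") {
  const byPivot = new Map(destination.map((e) => [e[pivot], e]));
  const ops = [];
  for (const src of source) {
    const wanted = transform(src);
    const dst = byPivot.get(src[pivot]);
    if (!dst) {
      ops.push({ op: "create", pivot: src[pivot], entry: wanted });
      continue;
    }
    const mods = {};
    for (const [attr, value] of Object.entries(wanted)) {
      if (dst[attr] !== value) mods[attr] = value;
    }
    if (Object.keys(mods).length > 0) {
      ops.push({ op: "modify", pivot: src[pivot], mods });
    }
  }
  return ops;
}

// Step 2, clean (optional): list every pivot in the destination and delete
// the ones with no source object. The empty-source guard is this example's
// own safeguard, not something on the slides: a source read that returns
// nothing usually means a failed query, and cleaning against it would
// deprovision every account in the destination.
function clean(source, destination, pivot = "uid") {
  if (source.length === 0) {
    throw new Error("refusing to clean: source returned no pivots");
  }
  const known = new Set(source.map((e) => e[pivot]));
  return destination
    .filter((e) => !known.has(e[pivot]))
    .map((e) => ({ op: "delete", pivot: e[pivot] }));
}

// "Apply": play the operation list against a copy of the destination.
function apply(destination, ops, pivot = "uid") {
  const result = new Map(destination.map((e) => [e[pivot], { ...e }]));
  for (const o of ops) {
    if (o.op === "create") result.set(o.pivot, { ...o.entry });
    else if (o.op === "modify") Object.assign(result.get(o.pivot), o.mods);
    else if (o.op === "delete") result.delete(o.pivot);
  }
  return [...result.values()];
}

// Full cycle: sync first, then clean, in the order the slides describe.
function runCycle(source, destination) {
  const ops = sync(source, destination).concat(clean(source, destination));
  return { ops, after: apply(destination, ops) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { ops, after } = runCycle(SOURCE, DESTINATION);
  console.log(JSON.stringify(ops, null, 2));
  console.log(JSON.stringify(after, null, 2));
}
```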

Defining a synchronization
●   Source type: LDAP / SQL database / CSV file?
●   Population: Which users? Which pivot?
●   Information: Attributes? Transformations?

Software design
[Diagram: data flow from "Data Source" through "Transformation" to "Target"; box labels, translated from French: Database, SQL abstraction interface (IBATIS), JDBC object, XML serialisation, LDAP object, Bean, LSC processing, Engine, Directory, JNDI object, LDAP object]

Example: MySQL to OpenLDAP
●   MySQL: a simple users table (HR-style)

      Field            Type      Values
      id               INT       Auto-increment
      first_name       VARCHAR   « Jane »
      last_name        VARCHAR   « Doe »
      marital_status   ENUM      « Single » / « Married » / « Divorced »
      salary           INT       42000
      start_date       DATE      1st October 2009

Example: MySQL to OpenLDAP
●   Configuring the source database
        –    JDBC connector: com.mysql.jdbc...
        –    URL, username, password
        –    Simple SQL request
                SELECT id AS uid, first_name AS givenName,
                last_name AS sn, start_date AS startDate FROM users

Example: MySQL to OpenLDAP
●   OpenLDAP: inetOrgPerson entries

      Field          Type            Values
      givenName      String          first_name (ex: « Jane »)
      sn             String          last_name (ex: « Doe »)
      cn             String          LAST_NAME, first_name (ex: « DOE, Jane »)
      userPassword   Binary string   Defaults to « CHANGEME »
      uid            String          Unique id from MySQL table

Example: MySQL to OpenLDAP
●   Configuring the destination directory
  dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
  dst.java.naming.security.authentication = simple
  dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
  dst.java.naming.security.credentials = secret

Example: MySQL to OpenLDAP
●   Configure the synchronization task
        –    Destination directory search (dstService)
  lsc.tasks = MyTask
  lsc.tasks.MyTask.type = db2ldap
  lsc.tasks.MyTask.dstService.baseDn = ou=People
  lsc.tasks.MyTask.dstService.pivotAttrs = uid
  lsc.tasks.MyTask.dstService.filterAll = (uid=*)
  lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
  lsc.tasks.MyTask.dstService.filterId = (uid={uid})
        –    DN generation (the RDN and the parent are separated by a comma)
  lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid")
      + ",ou=People"

Example: MySQL to OpenLDAP
●   Configuring data transformations (syncoptions)
  lsc.syncoptions.MyTask.default.action = F

  lsc.syncoptions.MyTask.cn.force_value = 
      srcBean.getAttributeValueById("sn").toUpperCase() + ", " 
      + srcBean.getAttributeValueById("givenName")

  lsc.syncoptions.MyTask.userPassword.action = K
  lsc.syncoptions.MyTask.userPassword.default_value = 
      SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")

Features overview
●   Syncoptions offer unlimited possibilities
        –    Text transformations
               ●   cn = givenName + SPACE + SN in caps
               ●   Filter accents: convert « Hélène » to « Helene »
        –    Hash passwords (SSHA, MD5, etc)
        –    Simple LDAP bind test
        –    Active Directory specifics:
               ●   UserAccountControl: deactivate accounts, force
                    password changes, etc …
               ●   UnicodePwd: update passwords in AD-style
        –    Anything else you can write in Java!

Features overview
●   Operation conditions
        –    Perform ADDs / MODIFYs / MODRDNs / DELETEs
              conditionally

●   Use-cases:
        –    Update-only synchronizations
              (never create, never delete)
        –    Only update the password if it's changed
              (perform an LDAP bind operation to check on the fly)
        –    Delete an account after 60 days of inactivity

Features overview
●   Attribute-level priorities for update
        –    FORCE: replace the destination value, whatever it currently holds
        –    KEEP: leave the destination value as-is
        –    DEFAULT: value to use if the destination is empty
        –    CREATE: default value for new entries

●   Use cases:
        –    Provide a default password but don't squash real one
        –    Force phone numbers if we're authoritative for them

Features overview
●   Detailed and configurable logging
        –    LDIF format (fully RFC-compliant)
        –    CSV format


●   Audit or play back modifications

Perspectives
●   Project is currently in stable status
        –    Version 1.1.0 released
●   Ideas for improvement are everywhere:
        –    Implement directory-specific replication systems
               ●   LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
               ●   DirSync for Microsoft AD
               ●   Others?
        –    Support other scripting languages
        –    Plugins to integrate into enterprise workflows
        –    Anything else …

Try it out! Get involved!
●   Main website: http://lsc-project.org/
        –    Tutorials: quickstart demo, detailed tutorials
        –    Reference documentation

Try it out! Get involved!
●   Getting help (keep in touch!)
        –    Mailing lists: http://lists.lsc-project.org/
        –    IRC: #lsc-project on Freenode

●   Development tools:
        –    Redmine forge: http://tools.lsc-project.org/
        –    Bugtracker, SVN repository …
        –    Continuous build server
               ●   Lots of tests based on OpenDS

Success stories
●   Private:
        –    Database to directory: 8 different instances
        –    Active Directory to OpenLDAP
●   Public:
        –    Oracle and MySQL to OpenLDAP: 250 000 entries
        –    CSV files to OpenLDAP

Thanks for your attention!
Any questions?

Jonathan Clarke
jonathan@phillipoux.net

Contenu connexe

Tendances

LSC - Synchronizing identities @ Loadays 2010
 LSC - Synchronizing identities @ Loadays 2010 LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010RUDDER
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
JDBC : Java Database Connectivity
JDBC : Java Database Connectivity JDBC : Java Database Connectivity
JDBC : Java Database Connectivity DevAdnani
 
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)John Dalsgaard
 
DBIx::Class vs. DBix::DataModel
DBIx::Class vs. DBix::DataModelDBIx::Class vs. DBix::DataModel
DBIx::Class vs. DBix::DataModelLaurent Dami
 
OSOM - Ruby on Rails
OSOM - Ruby on Rails OSOM - Ruby on Rails
OSOM - Ruby on Rails Marcela Oniga
 
Change RelationalDB to GraphDB with OrientDB
Change RelationalDB to GraphDB with OrientDBChange RelationalDB to GraphDB with OrientDB
Change RelationalDB to GraphDB with OrientDBApaichon Punopas
 
A powerful web application server (intravision IBM Connect 2013 Update) Febru...
A powerful web application server (intravision IBM Connect 2013 Update) Febru...A powerful web application server (intravision IBM Connect 2013 Update) Febru...
A powerful web application server (intravision IBM Connect 2013 Update) Febru...Per Henrik Lausten
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP IntegrationDell World
 

Tendances (15)

LSC - Synchronizing identities @ Loadays 2010
 LSC - Synchronizing identities @ Loadays 2010 LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010
 
XML in software development
XML in software developmentXML in software development
XML in software development
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory Services
 
JDBC : Java Database Connectivity
JDBC : Java Database Connectivity JDBC : Java Database Connectivity
JDBC : Java Database Connectivity
 
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)
RESTful services on IBM Domino/XWork (SUTOL 11 Nov. 2015 in Prague)
 
DBIx::Class vs. DBix::DataModel
DBIx::Class vs. DBix::DataModelDBIx::Class vs. DBix::DataModel
DBIx::Class vs. DBix::DataModel
 
OSOM - Ruby on Rails
OSOM - Ruby on Rails OSOM - Ruby on Rails
OSOM - Ruby on Rails
 
Java Web Services
Java Web ServicesJava Web Services
Java Web Services
 
Ruby on rails for beginers
Ruby on rails for beginersRuby on rails for beginers
Ruby on rails for beginers
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Change RelationalDB to GraphDB with OrientDB
Change RelationalDB to GraphDB with OrientDBChange RelationalDB to GraphDB with OrientDB
Change RelationalDB to GraphDB with OrientDB
 
Linked services
Linked servicesLinked services
Linked services
 
Using MRuby in a database
Using MRuby in a databaseUsing MRuby in a database
Using MRuby in a database
 
A powerful web application server (intravision IBM Connect 2013 Update) Febru...
A powerful web application server (intravision IBM Connect 2013 Update) Febru...A powerful web application server (intravision IBM Connect 2013 Update) Febru...
A powerful web application server (intravision IBM Connect 2013 Update) Febru...
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP Integration
 

En vedette

LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)Jonathan Clarke
 
Presentatie Boxit Connecto1
Presentatie Boxit Connecto1Presentatie Boxit Connecto1
Presentatie Boxit Connecto1Maarten Poppenk
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAPLDAPCon
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarForgeRock
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementLDAPCon
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory servicesLDAPCon
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3LDAPCon
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCLDAPCon
 
Opendj - A LDAP Server for dummies
Opendj - A LDAP Server for dummiesOpendj - A LDAP Server for dummies
Opendj - A LDAP Server for dummiesClaudio Borges
 

En vedette (10)

LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)LDAP Synchronization Connector (LSC)
LDAP Synchronization Connector (LSC)
 
Presentatie Boxit Connecto1
Presentatie Boxit Connecto1Presentatie Boxit Connecto1
Presentatie Boxit Connecto1
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAP
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship Management
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory services
 
LDAP
LDAPLDAP
LDAP
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSC
 
Opendj - A LDAP Server for dummies
Opendj - A LDAP Server for dummiesOpendj - A LDAP Server for dummies
Opendj - A LDAP Server for dummies
 

Similaire à LDAP Synchronization Connector presentation at LDAPCon 2009

Experiences with Evangelizing Java Within the Database
Experiences with Evangelizing Java Within the DatabaseExperiences with Evangelizing Java Within the Database
Experiences with Evangelizing Java Within the DatabaseMarcelo Ochoa
 
Webinar: Applying REST to Network Management – An Implementor’s View
Webinar: Applying REST to Network Management – An Implementor’s View Webinar: Applying REST to Network Management – An Implementor’s View
Webinar: Applying REST to Network Management – An Implementor’s View Tail-f Systems
 
GraphQL is actually rest
GraphQL is actually restGraphQL is actually rest
GraphQL is actually restJakub Riedl
 
Slides semantic web and Drupal 7 NYCCamp 2012
Slides semantic web and Drupal 7 NYCCamp 2012Slides semantic web and Drupal 7 NYCCamp 2012
Slides semantic web and Drupal 7 NYCCamp 2012scorlosquet
 
Slaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverSlaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverESUG
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Dobrica Pavlinušić
 
MongoDB NoSQL - Developer Guide
MongoDB NoSQL - Developer GuideMongoDB NoSQL - Developer Guide
MongoDB NoSQL - Developer GuideShiv K Sah
 
Querying Mongo Without Programming Using Funql
Querying Mongo Without Programming Using FunqlQuerying Mongo Without Programming Using Funql
Querying Mongo Without Programming Using FunqlMongoDB
 
Open source identity management 20121106 - apache con eu
Open source identity management   20121106 - apache con euOpen source identity management   20121106 - apache con eu
Open source identity management 20121106 - apache con euFrancesco Chicchiriccò
 
Know Your Competitor - Oracle 10g Express Edition
Know Your Competitor - Oracle 10g Express EditionKnow Your Competitor - Oracle 10g Express Edition
Know Your Competitor - Oracle 10g Express EditionRonald Bradford
 
Ruby on Rails (RoR) as a back-end processor for Apex
Ruby on Rails (RoR) as a back-end processor for Apex Ruby on Rails (RoR) as a back-end processor for Apex
Ruby on Rails (RoR) as a back-end processor for Apex Espen Brækken
 
Development without Constraint
Development without ConstraintDevelopment without Constraint
Development without ConstraintChad Davis
 
Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09manisoft84
 

Similaire à LDAP Synchronization Connector presentation at LDAPCon 2009 (20)

Experiences with Evangelizing Java Within the Database
Experiences with Evangelizing Java Within the DatabaseExperiences with Evangelizing Java Within the Database
Experiences with Evangelizing Java Within the Database
 
ArangoDB
ArangoDBArangoDB
ArangoDB
 
Samba management Console
Samba management ConsoleSamba management Console
Samba management Console
 
Webinar: Applying REST to Network Management – An Implementor’s View
Webinar: Applying REST to Network Management – An Implementor’s View Webinar: Applying REST to Network Management – An Implementor’s View
Webinar: Applying REST to Network Management – An Implementor’s View
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
 
GraphQL is actually rest
GraphQL is actually restGraphQL is actually rest
GraphQL is actually rest
 
Slides semantic web and Drupal 7 NYCCamp 2012
Slides semantic web and Drupal 7 NYCCamp 2012Slides semantic web and Drupal 7 NYCCamp 2012
Slides semantic web and Drupal 7 NYCCamp 2012
 
Node.js an Exectutive View
Node.js an Exectutive ViewNode.js an Exectutive View
Node.js an Exectutive View
 
Slaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP serverSlaps - a Smalltalk LDAP server
Slaps - a Smalltalk LDAP server
 
NoSql Databases
NoSql DatabasesNoSql Databases
NoSql Databases
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?
 
MongoDB NoSQL - Developer Guide
MongoDB NoSQL - Developer GuideMongoDB NoSQL - Developer Guide
MongoDB NoSQL - Developer Guide
 
Apache Spark on HDinsight Training
Apache Spark on HDinsight TrainingApache Spark on HDinsight Training
Apache Spark on HDinsight Training
 
Querying Mongo Without Programming Using Funql
Querying Mongo Without Programming Using FunqlQuerying Mongo Without Programming Using Funql
Querying Mongo Without Programming Using Funql
 
Open source identity management 20121106 - apache con eu
Open source identity management   20121106 - apache con euOpen source identity management   20121106 - apache con eu
Open source identity management 20121106 - apache con eu
 
Know Your Competitor - Oracle 10g Express Edition
Know Your Competitor - Oracle 10g Express EditionKnow Your Competitor - Oracle 10g Express Edition
Know Your Competitor - Oracle 10g Express Edition
 
Ruby on Rails (RoR) as a back-end processor for Apex
Ruby on Rails (RoR) as a back-end processor for Apex Ruby on Rails (RoR) as a back-end processor for Apex
Ruby on Rails (RoR) as a back-end processor for Apex
 
Clojure - Why does it matter?
Clojure - Why does it matter?Clojure - Why does it matter?
Clojure - Why does it matter?
 
Development without Constraint
Development without ConstraintDevelopment without Constraint
Development without Constraint
 
Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09
 

Plus de Jonathan Clarke

Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersJonathan Clarke
 
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Jonathan Clarke
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6Jonathan Clarke
 
Automating security policies (compliance) with Rudder
Automating security policies (compliance) with RudderAutomating security policies (compliance) with Rudder
Automating security policies (compliance) with RudderJonathan Clarke
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalJonathan Clarke
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Jonathan Clarke
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)Jonathan Clarke
 

Plus de Jonathan Clarke (8)

Rudder 3.0 and beyond
Rudder 3.0 and beyondRudder 3.0 and beyond
Rudder 3.0 and beyond
 
Interfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert usersInterfacing infrastructure-as-code with non-expert users
Interfacing infrastructure-as-code with non-expert users
 
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...Sharing automation - why we need a language like ncf for this (Ignite @ devop...
Sharing automation - why we need a language like ncf for this (Ignite @ devop...
 
What is new in CFEngine 3.6
What is new in CFEngine 3.6What is new in CFEngine 3.6
What is new in CFEngine 3.6
 
Automating security policies (compliance) with Rudder
Automating security policies (compliance) with RudderAutomating security policies (compliance) with Rudder
Automating security policies (compliance) with Rudder
 
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéalOpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
OpenLDAP - Astuces pour en faire l'annuaire d'entreprise idéal
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...
 
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)A tale of Disaster Recovery (Cfengine everyday, practices and tools)
A tale of Disaster Recovery (Cfengine everyday, practices and tools)
 

LDAP Synchronization Connector presentation at LDAPCon 2009

  • 1. LDAPCon 2009 20/09/2009 Jonathan Clarke jonathan@phillipoux.net 20/09/2009 http://lsc-project.org Page 1
  • 2. LDAPCon 2009 Introduction ● LDAP directories are commonly used to store identity information ● Provisioning for identity management is easy … – Just put all employee information in a directory! ● Simple, right? … well, yes, but … – « HR already has software that only stores identity  information in a database » – « We use Active Directory for our desktops and we  need users' identities there too » – « XYZ software already uses a different directory » 20/09/2009 http://lsc-project.org Page 2
  • 3. LDAPCon 2009 Introduction ● Several different identity repositories – How to make sure the same changes apply? ● New employees ● Name changes (marriage), transfers... ● Employees leaving ● Manual synchronization? – Leads to a mess, leaving old accounts active … ● Automatic synchronization? 20/09/2009 http://lsc-project.org Page 3
  • 4. LDAPCon 2009 Introduction ● Automatic synchronization – It already exists, and works great ● Directory- / database-specific replication ● Application-specific connectors (AD, SAP, etc) – What about the rest? ● Between different databases, directories, files? ● Different data models? ● Using standards: LDAP, SQL, etc...? 20/09/2009 http://lsc-project.org Page 4
  • 5. LDAPCon 2009 About LSC Project ● What is LSC? – LDAP Synchronization Connector – Open Source project – BSD licence – Written in Java – 4 years in the making – 1 year ago LSC-project.org created – 6 regular contributors ● Website: http://lsc-project.org 20/09/2009 http://lsc-project.org Page 5
  • 6. LDAPCon 2009 Goals – functionality ● Read/write to any database or LDAP directory – Standard LDAPv3 operations – JDBC connectors for databases ● Transform data on-the-fly – Adapt to a different data model – JavaScript based engine to manipulate data ● Adjustable updates: default, keep, force or merge 20/09/2009 http://lsc-project.org Page 6
  • 7. LDAPCon 2009 Goals – usability ● Quickly implement a new synchronization ● Highly configurable – What exactly do we read? – Powerful transformations (correctness is important) – What exactly do we write? ● Run fast (performance is important) ● Easy to setup 20/09/2009 http://lsc-project.org Page 7
8. Philosophy
● Make it possible, now!
● Make it more stable and safer
  – Open Source benefits over home-grown scripts
  – More secure and better tested
  – Don't reinvent a buggy wheel!
● Make it faster and simpler
  – Faster than writing home-grown scripts
  – Provide methods for IAM and directory-specific tasks
● This is not the ultimate solution …
9. LSC synchronization principles
● Two levels of information per identity
  1. Existence – equivalent to an account (LDAP entry)
  2. Identity-specific details – names, phone numbers (LDAP attributes and values)
● A unique ID: the pivot attribute(s)
● Synchronization operations
  ● Create: add entries from source to destination
  ● Delete: delete entries from destination not in source
  ● Update: compare and set specific details
10. LSC synchronization principles
● First step: sync
  – Get a list of all pivots from the source
  – For each pivot
    ● Read the source object
    ● Search for the destination object with the pivot
    ● Build up the desired destination object by applying transformations to the source object
    ● If the destination object exists, calculate modifications
    ● Apply: create or modify
11. LSC synchronization principles
● Second step: clean (optional)
  – Get a list of all pivots from the destination
  – For each pivot
    ● Search for the source object with the pivot
    ● If the source object doesn't exist, delete from destination
    ● Apply: delete
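The two steps above (sync, then clean) as an added example in JavaScript, the language of LSC's transformation engine. This is not LSC's own code: the source rows, destination entries and the `transform` function are constructed for illustration, and the pivot attribute is assumed to be `uid`.

```javascript
// Added example (not LSC code): plan the sync + clean steps from the slides
// over constructed in-memory data, keyed on the pivot attribute "uid".
const sourceRows = [ // constructed rows, as returned by the SELECT ... AS ... query
  { uid: "1", givenName: "Jane", sn: "Doe" },
  { uid: "2", givenName: "John", sn: "Smith" },
];
const destinationEntries = [ // constructed LDAP entries under ou=People
  { uid: "2", givenName: "John", sn: "Smyth" },    // stale surname
  { uid: "3", givenName: "Gone", sn: "Employee" }, // no longer in the source
];

// Search one side for the object carrying a given pivot value.
function findByPivot(objects, pivot, value) {
  return objects.find(o => o[pivot] === value) || null;
}

// Transformation: build the desired destination object from a source object.
// Here it carries attributes over and derives cn as "SN, givenName".
function transform(src) {
  return { uid: src.uid, givenName: src.givenName, sn: src.sn,
           cn: src.sn.toUpperCase() + ", " + src.givenName };
}

// Step 1 (sync): ADD entries missing from the destination, MODIFY those that
// differ from the transformed source. Step 2 (clean): DELETE destination
// entries whose pivot no longer exists in the source.
function planSynchronization(src, dst, pivot) {
  const ops = [];
  for (const s of src) {
    const desired = transform(s);
    const existing = findByPivot(dst, pivot, s[pivot]);
    if (!existing) { ops.push({ op: "ADD", [pivot]: s[pivot], entry: desired }); continue; }
    const mods = {};
    for (const [attr, value] of Object.entries(desired)) {
      if (existing[attr] !== value) mods[attr] = value;
    }
    if (Object.keys(mods).length > 0) ops.push({ op: "MODIFY", [pivot]: s[pivot], mods });
  }
  for (const d of dst) {
    if (!findByPivot(src, pivot, d[pivot])) ops.push({ op: "DELETE", [pivot]: d[pivot] });
  }
  return ops;
}
```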
12. Defining a synchronization
● Source type: LDAP / SQL database / CSV file?
● Population: which users? Which pivot?
● Information: attributes? Transformations?
13. Software design
[Diagram: Source → Data Transformation → Target. Source: database, SQL abstraction interface (IBATIS), JDBC object. Transformation: XML serialisation, LSC bean, LSC engine processing. Target: directory, JNDI object, LDAP object.]
14. Example: MySQL to OpenLDAP
● MySQL: a simple users table (HR-style)

  Field           Type      Values
  id              INT       Auto-increment
  first_name      VARCHAR   « Jane »
  last_name       VARCHAR   « Doe »
  marital_status  ENUM      « Single » / « Married » / « Divorced »
  salary          INT       42000
  start_date      DATE      1st October 2009
15. Example: MySQL to OpenLDAP
● Configuring the source database
  – JDBC connector: com.mysql.jdbc...
  – URL, username, password
  – Simple SQL request:

    SELECT id AS uid, first_name AS givenName, last_name AS sn, start_date AS startDate
    FROM users
16. Example: MySQL to OpenLDAP
● OpenLDAP: inetOrgPerson entries

  Field         Type           Values
  givenName     String         first_name (ex: « Jane »)
  sn            String         last_name (ex: « Doe »)
  cn            String         LAST_NAME, first_name (ex: « DOE, Jane »)
  userPassword  Binary string  Defaults to « CHANGEME »
  uid           String         Unique id from MySQL table
17. Example: MySQL to OpenLDAP
● Configuring the destination directory

    dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
    dst.java.naming.security.authentication = simple
    dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
    dst.java.naming.security.credentials = secret
18. Example: MySQL to OpenLDAP
● Configure the synchronization task
  – Source directory searching

    lsc.tasks = MyTask
    lsc.tasks.MyTask.type = db2ldap
    lsc.tasks.MyTask.dstService.baseDn = ou=People
    lsc.tasks.MyTask.dstService.pivotAttrs = uid
    lsc.tasks.MyTask.dstService.filterAll = (uid=*)
    lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
    lsc.tasks.MyTask.dstService.filterId = (uid={uid})

  – DN generation

    lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid") + ",ou=People"
19. Example: MySQL to OpenLDAP
● Configuring data transformations (syncoptions)

    lsc.syncoptions.MyTask.default.action = F
    lsc.syncoptions.MyTask.cn.force_value = srcBean.getAttributeValueById("sn").toUpperCase() + ", " + srcBean.getAttributeValueById("givenName")
    lsc.syncoptions.MyTask.userPassword.action = K
    lsc.syncoptions.MyTask.userPassword.default_value = SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")
20. Features overview
● Syncoptions offer unlimited possibilities
  – Text transformations
    ● cn = givenName + SPACE + SN in caps
    ● Filter accents: convert « Hélène » to « Helene »
  – Hash passwords (SSHA, MD5, etc)
  – Simple LDAP bind test
  – Active Directory specifics:
    ● UserAccountControl: deactivate accounts, force password changes, etc …
    ● UnicodePwd: update passwords AD-style
  – Anything else you can write in Java!
21. Features overview
● Operation conditions
  – Perform ADDs / MODIFYs / MODRDNs / DELETEs conditionally
● Use cases:
  – Update-only synchronizations (never create, never delete)
  – Only update the password if it has changed (perform an LDAP bind operation to check on the fly)
  – Delete an account after 60 days of inactivity
22. Features overview
● Attribute-level priorities for update
  – FORCE: replace the destination value whatever it is
  – KEEP: leave the destination value as-is
  – DEFAULT: value to use if the destination is empty
  – CREATE: default value for new entries
● Use cases:
  – Provide a default password but don't squash the real one
  – Force phone numbers if we're authoritative for them
23. Features overview
● Detailed and configurable logging
  – LDIF format (fully RFC-compliant)
  – CSV format
● Audit or play back modifications
24. Perspectives
● Project is currently in stable status
  – Version 1.1.0 released
● Ideas for improvement are everywhere:
  – Implement directory-specific replication systems
    ● LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
    ● DirSync for Microsoft AD
    ● Others?
  – Support other scripting languages
  – Plugins to integrate into enterprise workflows
  – Anything else …
25. Try it out! Get involved!
● Main website: http://lsc-project.org/
  – Tutorials: quickstart demo, detailed tutorials
  – Reference documentation
26. Try it out! Get involved!
● Getting help (keep in touch!)
  – Mailing lists: http://lists.lsc-project.org/
  – IRC: #lsc-project on Freenode
● Development tools:
  – Redmine forge: http://tools.lsc-project.org/
  – Bugtracker, SVN repository …
  – Continuous build server
    ● Lots of tests based on OpenDS
27. Success stories
● Private:
  – Database to directory
  – Active Directory (8 different instances) to OpenLDAP
● Public:
  – Oracle and MySQL to OpenLDAP
  – CSV files to OpenLDAP (250 000 entries)
28. Thanks for your attention! Any questions?
Jonathan Clarke
jonathan@phillipoux.net